General protection. I don't have any web server, database server, ftp or sshd.

So basically, it sounds like the packets that would trigger snort alerts would have been blocked by pf anyway. Perhaps an alternative is the pf overload <table> statement, which allows you to automatically block certain IPs, without the added effort and security risks of running snort on your external interface(s).

Any concrete examples?
How do I fill the table with a list of blocked IPs?
My current pf block syntax is:
block drop log
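An added example of the overload <table> mechanism mentioned earlier in the thread, and of how such a table gets filled and maintained from the shell. It is not from any post here. The interface name, the table name, the thresholds and the ssh rule are assumptions; the ssh rule is there only because overload needs a rule that creates state to feed the table, so a ruleset consisting of `block drop log` alone has nothing that can overload anything.

```pf
# Added example, not from the thread. Interface, table name, file name and
# the thresholds are assumptions; tune them to your own traffic.
ext_if = "em0"

# "persist" keeps the table (and whatever overload or pfctl put into it)
# across ruleset reloads. The file seeds it with a static list, one address
# or network per line; it must exist when the ruleset is loaded (empty is fine).
table <blocked> persist file "/etc/pf.blocked"

# Drop and log anything from a listed address before any other rule runs.
block drop log quick from <blocked> to any

# Default deny, as in the current ruleset.
block drop log

# Only stateful pass rules can overload a table. This one is illustrative:
# a source that holds more than 15 ssh connections, or opens more than 5
# within 3 seconds, is added to <blocked> and all of its states are killed.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <blocked> flush global)

# Let the host itself talk to the world.
pass out on $ext_if inet from ($ext_if) to any keep state

# Maintaining the table from the shell (addresses below are documentation
# ranges, chosen for the example):
#   pfctl -t blocked -T show                        list entries
#   pfctl -t blocked -T add 203.0.113.7             block one address
#   pfctl -t blocked -T add 198.51.100.0/24         or a whole network
#   pfctl -t blocked -T delete 203.0.113.7          unblock it
#   pfctl -t blocked -T expire 86400                drop entries older than a day
#   pfctl -t blocked -T replace -f /etc/pf.blocked  reload the static list
```

Entries added by overload carry the time they were added, so a cron job running `pfctl -t blocked -T expire 86400` turns the table into a rolling one-day ban list instead of a permanent one; entries from the static file are reloaded whenever the ruleset is, because of `persist file`.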

The email chain referenced included an example to test functionality, using ICMP traffic initiated from a test system.

The email chain from Lawrence shows pf passing inbound packets using the pass in syntax, but I don't have any pass in traffic to serve in my environment. I just want to check every outbound packet and the equivalent inbound packet for virus scanning, etc.

Sorry to dredge up an old thread, but as I've had some success with this, and haven't seen anything newer, I thought I'd post some information for anyone who needs it.

As noted above, pf can redirect packets from kernel space to user space using divert packets, like the following (on a box placed between the world and the gateway machine):

Code:

# interfaces of the IPS box: em0 faces the world, em1 faces the gateway
WAN_IF=em0
LAN_IF=em1
LON_IF=lo0
# the gateway WAN address
GATEWAY="192.168.1.2"
# no filtering at all on loopback or on the gateway-facing side
set skip on $LON_IF
set skip on $LAN_IF
block in all
block out all
# Allow IPS to communicate with the world for Snort rule updates, etc.
pass out on $WAN_IF from ($WAN_IF) to any
# everything between the gateway and the world: 1:1 NAT it to the IPS box's
# own WAN address and hand every packet of the state to divert socket 700
pass on $WAN_IF from $GATEWAY to any binat-to ($WAN_IF:0) divert-packet port 700

This makes no attempt to do any significant firewall filtering, as the two pass statements should cover just about everything. Obviously, other firewall filtering could be added.

The key is the "divert-packet" statement (NOT "divert-to" or "divert-reply"), which redirects all packets passing through the IPS to divert socket 700. Without anything listening on that socket and re-injecting the packets, nothing should pass through.

On the Snort side, the use of the "ipfw" Snort data acquisition, or daq, module (unfortunately named; I think this has led to some confusion) is essential. On other platforms, Snort can use the "afpacket" daq for inline (IPS) service, but this isn't available on OpenBSD at this point.

Within the "snort.conf" file, Snort can be configured to make use of divert sockets and run inline as follows:

This ISN'T a comprehensive description of snort configuration or rule generation. I use pulledpork.pl run via cron on a daily basis to generate a unified "snort.rules" file and download/keep rules up to date, to choose the "ips_policy" level (which selects the rules enabled for IPS duty), and to modify rules from "alert" to "drop" with pulledpork's "dropsid" functionality. And I'm still experimenting with Snort configurations for improving performance.

But that's basically it.

As for why anyone would do this:
Firewalls are basically whitelisting devices. They allow certain traffic through if the source/destination addresses and ports are right, and packets themselves aren't malformed (of course, they're also useful for rate limiting and traffic shaping, etc.). However, firewalls can't detect whether the content of traffic sent to/from correct addresses and ports is nonetheless malicious. That's where signature-based deep-packet inspection and blacklisting can add additional protection.

A few notes:

This only works on routing firewall configurations. Divert sockets don't seem to work on interfaces configured as part of a transparent (bridging) firewall.

Snort and daq compiled from the Snort.org sources will not function on OpenBSD for IPS duty. A few years back, Lawrence Teo noticed that the ipfw daq module was handling the creation of divert sockets incorrectly due to a permissions issue (basically, running Snort as root was required, making the standard practice of running it under the "_Snort" user nonfunctional). Only the versions of Snort in the ports/OpenBSD package repositories work correctly, as they include Teo's patch. In other words: just use pkg_add snort to get a working version (daq is a dependency).

Snort is single-threaded. While the divert sockets function is fast, with signature-based detection as Snort does it there are real throughput limits, dependent on the size of the Snort ruleset.

Snort itself does, of course, add an additional attack surface for bad actors to go after. Snort has a pretty good record on this (not a lot of vulnerabilities uncovered since the project started 20 years ago, despite a whole lot of IPS duty) and the authors are responsive to bugs. But running Snort chrooted with the "-t" switch, and under the non-administrator account "_Snort", is a wise idea. If the Snort process fails, note that the configuration above will "fail open" (all traffic not originating on the Snort box will cease).
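An added example that goes one step beyond the post above: the same divert-packet design, but on a single gateway/NAT box instead of a separate IPS host sitting in front of the gateway. It is not the poster's configuration. Interface names, the LAN prefix and the divert port are assumptions; the divert port only has to be the same number on the pf side and on the Snort side.

```pf
# Added example, not the poster's config: divert-packet on a gateway that
# also does NAT for the LAN. Interface names, LAN prefix and port are assumptions.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
divert_port = "700"

set skip on lo0

# Default deny, logged. Watch it with: tcpdump -n -e -ttt -i pflog0
block drop log

# LAN hosts going out: accept them on the inside interface, then on the
# outside interface NAT them and hand the packet to the divert socket.
# The reply packets match the same state and are diverted as well, which
# is what lets the IPS see both sides of every connection. This needs the
# box to route; divert does not work on bridge member interfaces.
pass in on $int_if inet from $lan_net to any
pass out on $ext_if inet from $lan_net to any nat-to ($ext_if:0) \
    divert-packet port $divert_port

# Traffic from the gateway itself (rule updates, DNS, NTP) is not diverted.
pass out on $ext_if inet from ($ext_if) to any

# Checks:
#   pfctl -nf /etc/pf.conf        syntax-check before loading
#   pfctl -f /etc/pf.conf         load
#   pfctl -vsr | grep divert      confirm the divert rule is installed
# With nothing reading the divert port, matching packets are dropped rather
# than forwarded, so a Snort that has died stops the LAN's traffic instead
# of letting it through uninspected.
```

On the Snort side, my reading of Snort's README.daq is that the matching snort.conf lines are `config daq: ipfw`, `config daq_mode: inline` and `config daq_var: port=700` (the `port` DAQ variable selects the divert port; confirm against the daq version you have installed, and keep the number equal to `divert_port` above). Start it inline, unprivileged and chrooted, along the lines of `snort -D -Q -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort`, where `-Q` is Snort's inline-mode switch and the chroot directory is an assumption; a quick functional test is the one from the email chain mentioned earlier in the thread, ICMP from a LAN host with Snort stopped (nothing should get through) and then started (it should).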